Blue Team Tools

Authors: Aaron Rosenmund, Josh Stroschein, Shoaib Arshad, Zach Roof, Guillaume Ross

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a...

What you will learn

  • What the function of the tool is
  • Where to get it
  • How to use the tool to fill a gap in enterprise security

Pre-requisites

  • Security fundamentals
  • Ethical hacking fundamentals
  • Security testing fundamentals

Introduction

The first course in this series discusses the use of open source blue team tools to fill the gaps in your enterprise security and, in turn, enable your information security organization to evolve its capabilities as fast as the threat actors you are defending against.

Blue Team Tools: Defense against Adversary Activity Using MITRE Techniques

by Aaron Rosenmund

Dec 9, 2020 / 19m

Description

Blue Teams have one of the most challenging jobs in the world, finding the bad actor needle in the mound of needles. Attacker techniques are continually evolving, and the threat surface and required data for analysis is constantly increasing. In this course, Blue Team Tools: Defense against Adversary Activity using MITRE Techniques, you'll cover how to utilize Blue Team Tools to protect, detect, and respond against targeted threat actor techniques in an enterprise environment. First, you'll learn the purpose and origin of Blue Team Tools and the functions that they fulfill in modern cybersecurity organizations. Next, you'll leverage MITRE ATT&CK and Shield to get a 360-degree view of attack scenarios and the data and capabilities you need to stop them. Finally, you'll analyze your organization's tooling gaps and how Blue Team Tools can fill them. When you're finished with this course, you'll have the skills and knowledge to leverage the Blue Team Tools skill path to enable your security organization to evolve their capabilities as fast as the threat actors you are defending against.

Table of contents
  1. Course Overview
  2. Blue Team Tool’s Vital Role in Enterprise Security
  3. Resources

Network Analysis

In this section, you will learn about the tools associated with network analysis to detect related data source TTPs and actively meet the adversary's activity with a response before you encounter it.

Network Analysis with Arkime

by Josh Stroschein

Dec 11, 2020 / 45m

Description

Finding undetected threats in your network through proactive network analysis requires the right tools. In this course, Network Analysis with Arkime, you’ll learn how to utilize Arkime to detect anomalous or malicious network traffic in an enterprise environment. First, you'll gain insight into how to detect common malware delivery patterns. Next, you’ll learn how to use Arkime to identify malware command and control. Finally, you’ll utilize the many features of Arkime to identify data exfiltration. When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques using Arkime.

Table of contents
  1. Course Overview
  2. Identifying Initial Access, Command and Control, and Data Exfiltration with Arkime
  3. Resources

OS Analysis

In this section, you will learn about the tools associated with OS analysis to detect related data source TTPs and actively meet the adversary's activity with a response before you encounter it.

OS Analysis with HELK

by Aaron Rosenmund

Jul 21, 2020 / 29m

Description

Though many cyber attack techniques can be effectively and heuristically identified by analyzing endpoint logs, there are surprisingly few capabilities that focus solely on parsing Windows logs and OS data and providing a platform to perform advanced statistical analysis. In this course, OS Analysis with HELK, you’ll cover how to utilize Hunt ELK to detect adversary endpoint attack techniques in an enterprise environment. First, you’ll see the gap that HELK fills in Windows event log analysis. Next, you'll explore how to operate the advanced hunt features provided by HELK. Finally, you’ll learn how to analyze a live dataset to hunt for adversary activity. When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques using HELK: Kerberoasting (T1208), BITS Jobs (T1197), and Indicator Removal on Host (T1070).

Table of contents
  1. Course Overview
  2. Using Windows Event Logs with HELK to Hunt for Advanced Adversary Activity
  3. Resources

OS Analysis with RegRipper

by Shoaib Arshad

Sep 1, 2020 / 39m

Description

Windows Registry analysis is a fundamental step during any incident response scenario, as it provides conclusive evidence needed to support or refute any suspicious activity on a Windows system. In this course, you’ll cover how to utilize RegRipper to detect adversary endpoint attack techniques in an enterprise environment. First, you’ll explore the RegRipper plugins, which are a unique approach to Registry analysis. Next, you’ll run RegRipper against various registry hives using a custom set of plugins. Finally, you’ll analyze the Windows Registry to detect adversary activity on a Windows host. When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques using RegRipper: Create or Modify System Process (T1543), Boot or Logon Autostart Execution (T1547), and Exfiltration Over Physical Medium (T1052).

Table of contents
  1. Course Overview (Tool Introduction)
  2. Analyzing Windows Registry with RegRipper
  3. Resources

OS Analysis with Wazuh

by Zach Roof

Dec 21, 2020 / 36m

Description

Detecting process-level and file-level attacks can be challenging. Additionally, many tools are "alert factories" that lack the ability to remediate in-progress attacks. Wazuh addresses both problems. In this course, OS Analysis with Wazuh, you'll cover how to utilize Wazuh to respond to data exfiltration in an enterprise environment. First, you'll create a rule to detect malicious filesystem operations. Next, you'll uncover a rootkit through Wazuh by using a Python script. Finally, you'll leverage Wazuh's Active Response functionality to automatically quarantine the host and prevent it from exfiltrating data. All attacks in this course are simulated through Merlin, a popular C2 framework, so that the scenarios resemble real-world activity (no prior Merlin experience is needed). When you're finished with this course, you'll have the skills and knowledge to detect these techniques: Scheduled Task/Job (T1053), Hijack Execution Flow (T1574), and Exfiltration Over C2 Channel (T1041).

Table of contents
  1. Course Overview
  2. Detecting Process-level and File-level Attacks with Wazuh
  3. Resources

Infrastructure Analysis

In this section, you will learn about the tools associated with infrastructure analysis to detect related data source TTPs and actively meet the adversary's activity with a response before you encounter it.

Cloud Infrastructure Analysis with Scout Suite

by Guillaume Ross

Jun 15, 2020 / 29m

Description

It is impossible to manually identify all dangerous configurations, given how rapidly cloud services are growing in number and complexity. In this course, Cloud Infrastructure Analysis with Scout Suite, you will gain the ability to identify cloud configuration issues with Scout Suite. First, you will learn how to create a vulnerable cloud environment. Next, you will discover how to install Scout Suite with minimal privileges. Finally, you will explore how to analyze the vulnerable cloud environment with Scout Suite. When you are finished with this course, you will have the skills and knowledge of Scout Suite needed to analyze cloud deployments for security issues.

Table of contents
  1. Course Overview
  2. Discovering Unsafe Cloud Configurations with Scout Suite
  3. Resources